National Data Protection Authority
The United States data protection landscape spans a fragmented but increasingly consequential network of federal statutes, sector-specific regulations, state privacy laws, and enforcement actions — each with distinct scope, applicability thresholds, and penalty structures. This reference covers the full architecture of that landscape: the agencies with enforcement authority, the legal frameworks that define compliance obligations, and the professional and technical standards that govern how organizations handle personal data. With more than 40 published reference pages covering topics from breach notification timelines to biometric data rules, this site serves as a structured entry point for professionals, researchers, and organizations navigating U.S. data protection requirements.
- The Regulatory Footprint
- What Qualifies and What Does Not
- Primary Applications and Contexts
- How This Connects to the Broader Framework
- Scope and Definition
- Why This Matters Operationally
- What the System Includes
- Core Moving Parts
The Regulatory Footprint
No single federal data protection law in the United States governs all sectors uniformly. Instead, at least 15 sector-specific and cross-sectoral federal statutes — including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Children's Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act (FERPA) — govern discrete categories of data and entity types.
At the federal level, the Federal Trade Commission (FTC) holds the broadest cross-sector enforcement authority through Section 5 of the FTC Act, which prohibits unfair or deceptive practices. As documented in FTC data security enforcement actions, the agency has issued consent orders and civil penalties against organizations across the retail, health, and technology sectors for inadequate data security practices. The FTC's authority does not extend to common carriers, nonprofit organizations, or financial institutions overseen by a primary regulator under the Gramm-Leach-Bliley Act (such as the SEC, FDIC, or OCC).
At the state level, all 50 states have enacted data breach notification laws, and at least 13 states have passed comprehensive consumer privacy statutes as of 2024, according to the International Association of Privacy Professionals (IAPP). California's Consumer Privacy Act (CCPA), amended by the CPRA, remains the most expansive state framework, establishing rights to access, deletion, correction, and opt-out from data sale — with the California Privacy Protection Agency (CPPA) holding primary enforcement authority and a civil penalty ceiling of $7,500 per intentional violation (Cal. Civ. Code § 1798.155).
The NIST Privacy Framework, Version 1.0, published by the National Institute of Standards and Technology, provides a voluntary but widely adopted reference model for organizations seeking to operationalize privacy risk management independently of sector-specific mandates.
What Qualifies and What Does Not
Data protection law applies to "personal information" — a category that varies in definition across statutes and jurisdictions. The FTC, HIPAA, CCPA, and NIST each maintain distinct definitional boundaries.
| Framework | Term Used | Core Scope | Explicit Exclusions |
|---|---|---|---|
| HIPAA | Protected Health Information (PHI) | Health data linked to an individual; held by covered entities or business associates | De-identified data (per 45 CFR §164.514) |
| CCPA/CPRA | Personal Information | Broadly defined; includes inferences, biometrics, geolocation | Publicly available government records; B2B data (partial) |
| GLBA | Nonpublic Personal Information (NPI) | Financial data from consumers of financial services | Business/commercial customer data |
| COPPA | Personal Information (under 13) | Name, address, geolocation, photos, persistent identifiers for children | Aggregate or de-identified data; internal operations |
| NIST SP 800-122 | Personally Identifiable Information (PII) | Linkable information that can distinguish or trace an individual | Aggregate statistics; anonymized records |
Anonymized and de-identified data do not trigger most statutory obligations — but the standard for de-identification is legally defined, not simply a matter of removing a name. Under HIPAA's Safe Harbor method, 18 specific identifiers must be removed (45 CFR §164.514(b)). The CCPA treats de-identified data as excluded only when re-identification is technically infeasible and organizational controls prevent re-linkage.
A common misconception: encryption alone does not remove data from the scope of breach notification obligations. Most state breach notification statutes require notification if encrypted data is exposed alongside the decryption key, or if the encryption standard is demonstrably compromised.
Primary Applications and Contexts
Data protection obligations arise across four primary operational contexts in the U.S.:
Healthcare and Life Sciences: HIPAA's Privacy Rule and Security Rule govern covered entities (hospitals, insurers, clearinghouses) and their business associates. The HHS Office for Civil Rights (OCR) enforces these rules, with penalties structured in four tiers from $100 to $50,000 per violation, capped at $1.9 million per violation category per year (45 CFR §160.404). Reference material on HIPAA data protection requirements covers covered entity classification and technical safeguard standards.
Financial Services: The GLBA Safeguards Rule, revised by the FTC in 2021 and with compliance required by June 2023, mandates that non-bank financial institutions implement written information security programs with 9 specific administrative, technical, and physical safeguard elements. The Gramm-Leach-Bliley financial data reference page documents these requirements in full.
Consumer Technology and Commerce: The FTC Act Section 5, CCPA/CPRA, and emerging state frameworks (Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA) apply to general commercial data processing. Organizations with annual gross revenues exceeding $25 million, data on 100,000 or more consumers, or deriving 50% or more of revenue from data sales fall under CCPA's scope (Cal. Civ. Code §1798.140).
Government and Public Sector: Federal agencies are governed by the Privacy Act of 1974 (5 U.S.C. §552a), which restricts how agencies collect, maintain, and disclose records about individuals. The government agency data protection reference page addresses Privacy Act system-of-records notices and OMB implementation guidance.
How This Connects to the Broader Framework
This site operates within the nationalcyberauthority.com network, which in turn is part of the authorityindustries.com industry reference network — a structured collection of authority properties covering cybersecurity, legal compliance, and regulated professional sectors. Within that hierarchy, this property focuses specifically on data protection regulation, enforcement structures, and compliance frameworks applicable to U.S. organizations.
The NIST Privacy Framework reference documents the five core functions — Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P — that NIST recommends organizations use to structure privacy risk management programs. These functions operate in parallel to the NIST Cybersecurity Framework (CSF), with explicit cross-referencing between the two to reflect that data protection and cybersecurity are operationally interdependent but governed by distinct regulatory requirements.
Cross-border data transfer rules intersect with this framework at a critical seam: when U.S. organizations transfer personal data to or from jurisdictions governed by the EU General Data Protection Regulation (GDPR), the APEC Cross-Border Privacy Rules (CBPR) system, or bilateral adequacy frameworks, a layered compliance obligation applies that no single domestic statute fully addresses.
Scope and Definition
For the purposes of this reference network, "data protection" encompasses the legal, technical, and administrative mechanisms through which organizations:
- Limit collection of personal information to defined and documented purposes (data minimization principles)
- Secure personal information against unauthorized access, disclosure, or destruction
- Provide individuals with rights to access, correct, delete, or restrict processing of their data (data subject rights)
- Notify affected individuals and regulatory bodies when personal data is compromised (data breach notification requirements)
- Retain and dispose of data according to documented schedules consistent with legal hold obligations
This scope expressly excludes general cybersecurity architecture not tied to personal data (network intrusion detection, DDoS mitigation, endpoint hardening unrelated to PII) and corporate confidentiality protections that do not involve personal information.
Why This Matters Operationally
The financial consequences of data protection failures are concrete and measurable. The IBM Cost of a Data Breach Report 2023 placed the global average cost of a data breach at $4.45 million (IBM, 2023). Healthcare breaches cost an average of $10.93 million per incident in the same reporting period — the highest of any sector for the 13th consecutive year.
Beyond direct costs, enforcement actions carry escalating penalty structures. The HHS OCR imposed a $1.25 million settlement on a covered entity in 2023 for failure to conduct an accurate risk analysis under HIPAA's Security Rule. The FTC has pursued civil penalties under COPPA, with Google paying $170 million in 2019 (FTC press release) for violations involving YouTube and children's data — at the time the largest COPPA settlement on record.
Organizations without a designated data protection officer or equivalent accountability role are statistically more likely to experience compliance gaps in risk assessment documentation, privacy impact assessments, and third-party vendor oversight.
What the System Includes
This reference site covers more than 40 distinct topics organized across the following thematic areas:
- Federal statutory frameworks: HIPAA, GLBA, COPPA, FERPA, the Privacy Act of 1974, and the FTC Act's data security application
- State privacy law comparison: Comprehensive coverage of enacted state laws including CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, and breach notification requirements across all 50 states
- Enforcement and penalties: FTC enforcement actions, HHS OCR settlements, and state attorney general actions
- Technical and administrative standards: NIST SP 800-53, NIST SP 800-122, NIST Privacy Framework, data encryption standards, incident response protocols
- Specialized data categories: Biometric data protection laws, sensitive data categories, employee data privacy protections, financial sector data protection
- Emerging and evolving areas: Federal privacy legislation proposals, consent management requirements, privacy by design standards
Core Moving Parts
The data protection compliance function in any organization involves five structural components, each with defined regulatory correlates:
1. Legal Basis and Applicability Assessment
Organizations must determine which statutes apply based on entity type, data category, geographic scope, and consumer demographics. HIPAA applies to covered entities and business associates; CCPA applies based on revenue and volume thresholds; COPPA applies based on the age of the data subject.
2. Data Inventory and Classification
A complete record of processing activities — what data is collected, where it is stored, who has access, and for what purpose — is a prerequisite for nearly all compliance programs. GDPR Article 30 requires this for EU-processing activities; NIST SP 800-53 Control PM-5 recommends system-of-records inventories for federal systems.
3. Risk Assessment and Privacy Impact Analysis
HIPAA requires a documented Security Risk Analysis (SRA) as a foundational element of the Security Rule (45 CFR §164.308(a)(1)). The privacy impact assessments reference page covers the OMB Circular A-130 framework for federal agencies and equivalent commercial practice.
4. Third-Party and Vendor Oversight
HIPAA requires Business Associate Agreements (BAAs) with all vendors that handle PHI. The FTC's Safeguards Rule requires financial institutions to oversee service providers contractually. Third-party vendor data security covers the contractual and technical due diligence standards applicable across sectors.
5. Incident Response and Notification
Breach response timelines vary by framework: HIPAA requires notification within 60 days of discovery for breaches affecting 500 or more individuals (45 CFR §164.412); state laws range from 30 to 90 days; the SEC's 2023 cybersecurity disclosure rules require public companies to disclose material cybersecurity incidents (17 CFR §229.106). The incident response and data breach reference page maps these timelines by framework.
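The following triage helper is an added example, not code from this reference site or from any regulator's guidance. It applies two points made above: the encryption caveat (encrypted data stays within breach notification scope when the decryption key was exposed alongside it or the encryption scheme is demonstrably compromised) and the notification windows listed under step 5. It assumes the organization is a HIPAA covered entity, uses the 30-day short end of the state range as a conservative default window, and all incident records, field names and the `assess_notification` function are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as stated on this page (HIPAA) plus an assumed conservative
# state window at the short end of the 30-90 day range.
HIPAA_LARGE_BREACH_INDIVIDUALS = 500
HIPAA_NOTIFICATION_WINDOW_DAYS = 60
DEFAULT_STATE_WINDOW_DAYS = 30  # assumption: most conservative end of the range

# Constructed "today" used by the stand-alone run below.
AS_OF = date(2024, 3, 15)


@dataclass
class BreachRecord:
    """Minimal incident facts an IR lead records at triage (constructed fields)."""
    label: str
    discovered_on: date
    individuals_affected: int
    hipaa_covered: bool               # PHI held by a covered entity / business associate
    data_encrypted: bool
    key_also_exposed: bool = False    # decryption key was part of the compromised set
    cipher_compromised: bool = False  # encryption scheme is demonstrably broken


def encryption_safe_harbor_applies(rec: BreachRecord) -> bool:
    """Encryption keeps data out of notification scope only while the key
    stays secret and the cipher is sound (the misconception called out above)."""
    return rec.data_encrypted and not rec.key_also_exposed and not rec.cipher_compromised


def assess_notification(rec: BreachRecord, as_of: date,
                        state_window_days: int = DEFAULT_STATE_WINDOW_DAYS) -> dict:
    """Decide whether notification is required and compute each framework's
    deadline from the discovery date; the earliest deadline drives the plan."""
    required = not encryption_safe_harbor_applies(rec)
    result = {
        "label": rec.label,
        "notification_required": required,
        "hipaa_large_breach": rec.hipaa_covered
        and rec.individuals_affected >= HIPAA_LARGE_BREACH_INDIVIDUALS,
        "hipaa_deadline": None,
        "state_deadline": None,
        "earliest_deadline": None,
        "days_remaining": None,
    }
    if not required:
        return result
    if rec.hipaa_covered:
        result["hipaa_deadline"] = rec.discovered_on + timedelta(days=HIPAA_NOTIFICATION_WINDOW_DAYS)
    result["state_deadline"] = rec.discovered_on + timedelta(days=state_window_days)
    deadlines = [d for d in (result["hipaa_deadline"], result["state_deadline"]) if d]
    result["earliest_deadline"] = min(deadlines)
    result["days_remaining"] = (result["earliest_deadline"] - as_of).days
    return result


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    # Encrypted database dump, but the key was in the same compromised store.
    BreachRecord("encrypted-db-key-leaked", date(2024, 3, 1), 12_000, True, True,
                 key_also_exposed=True),
    # Encrypted backup with the key held separately and intact.
    BreachRecord("encrypted-backup-key-safe", date(2024, 3, 1), 12_000, True, True),
    # Small plaintext export; below the 500-individual HIPAA tier named above.
    BreachRecord("plaintext-export-small", date(2024, 3, 10), 200, True, False),
]

if __name__ == "__main__":
    for rec in SAMPLE_INCIDENTS:
        print(assess_notification(rec, as_of=AS_OF))
```

The design choice worth noting is that the encryption check gates everything else: a record that qualifies for the encryption carve-out produces no deadlines at all, while a record where the key travelled with the data is treated exactly like plaintext, which is the point the "common misconception" paragraph makes.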
References
- Federal Trade Commission — Section 5, FTC Act and Data Security
- U.S. Department of Health & Human Services — HIPAA for Professionals
- Electronic Code of Federal Regulations — 45 CFR Part 164 (HIPAA Security Rule)
- NIST Privacy Framework, Version 1.0
- NIST Special Publication 800-122: Guide to Protecting PII
- FTC — Gramm-Leach-Bliley Act
- FTC — Children's Online Privacy Protection Rule (COPPA)
- California Legislative Information — Civil Code §1798.100 et seq. (CCPA/CPRA)
- [U.S. Department of Justice — Privacy Act of 1974 (5 U.S.C. §552a)](https://www.justice.gov